On Wed, Nov 3, 2021, 6:33 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Wed, Nov 3, 2021 at 5:11 PM Karl <gmkarl@gmail.com> wrote:
the guy wasn't from openpgp.org, and coderman posted it to this list in
2019: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
the new keyserver is called hockeypuck I believe.
Hi Karl,
Why do you still rely on OpenPGP WoT signatures, when it comes to cryptography? If we both or you with others would use an offline device for key pair creation (and message generation) and then say would use NaClbox or age, for example, you don't have to deal with all this key management stuff, which is IMHO really annoying, when you have to use PGP on a daily basis, with several communication partners.
Well, - the spampost was on os media verification, which is not available via age. this is the biggest reason and should be obvious. here are other scattered reasons: - you may not be aware, but WoT is not anything anyone is forcing you to do, pgp can operate without it, but it is a feature I would expect a good asymmetric cryptography system to support - pgp works fine on an offline device as you propose - pgp is a well-recognised standard that has undergone extensive review and normalisation, and is likely open to processes of further improvement - I don't know why you would say this strange thing you are saying, but I am interesting in learning modern approaches like age - go is kind googley to me, I worry its internal architecture may not defend interests of other communities, it would be nice if we had accessible transpiling to maintain language-agnostic tools soon However of course, - pgp is old, so people trying to misuse it know it very well. not likely so true of other things. - pgp is somewhat cumbersome in many ways needlessly The (Open)BSD folks, for example, switched long ago to signify,
openbsd is incredible but they have indicated trust of infrastructure and governments, unsure why
for package signing and sequoia-pgp (Testimonial by Mr. Zimmermann) no longer uses key signing for a WoT.
haven't looked at sequoia-pgp, haven't always gotten too much into this stuff do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it. obviously without an out of band channel for cryptographic trust you have no way of knowing anything on the internet is real